Bug#785326: libavcodec56: CVE-2014-7937 - Multiple off-by-one errors in libavcodec/vorbisdec.c

Arne Wichmann aw at anhrefn.saar.de
Sat May 16 13:28:44 UTC 2015



begin quotation from Sebastian Ramacher (in <20150516130757.GA21093 at ramacher.at>):
> On 2015-05-15 15:22:28, Alessandro Ghedini wrote:
> > On Fri, May 15, 2015 at 11:05:17AM +0200, Sebastian Ramacher wrote:
> > > Version: 6:11.3-1
> > > 
> > > On 2015-05-14 20:41:15, Arne Wichmann wrote:
> > > > Package: libavcodec56
> > > > Version: 6:11.3-2
> > > > Severity: grave
> > > > Tags: security
> > > > Justification: user security hole
> > > > 
> > > > Hi, as far as I can see this has not yet been reported or fixed:
> > > > 
> > > > CVE-2014-7937 : Multiple off-by-one errors in libavcodec/vorbisdec.c in
> > > > FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow
> > > > remote attackers to cause a denial of service (use-after-free) or possibly
> > > > have unspecified other impact via crafted Vorbis I data [1]
> > > > 
> > > > I marked this as grave as the impact is unclear and might include arbitrary
> > > > code execution. Feel free to downgrade if this can be ruled out.
> > > > 
> > > > (Actually I would like to have a look at the test case to check a bit more
> > > > thoroughly, but AFAICS I would need to talk to google for this.)
> > > > 
> > > > [1] https://security-tracker.debian.org/tracker/CVE-2014-7937
> > > >   https://lists.libav.org/pipermail/libav-devel/2015-January/066433.html
> > > 
> > > A similar commit to the one maintained in this mailing list post was applied to
> > > 11.3. So closing with that version.
> > 
> > Do you mean the patch at [0]? Honestly it doesn't look like the ffmpeg patch at
> > all, and the commit message doesn't even mention the bug fix. How can you be so
> > sure that the bug is fixed?
> 
> I might have read the commit wrong. Do you have a sample for this CVE?

There is one referenced in various messages relating to CVE-2014-7937:
asan_heap-uaf_18dac2b_9_asan_heap-uaf_22eb375_208_beta3_test_small.ogg
unfortunately it is not publicly available AFAICS. You might ask upstream
about it.

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. No one can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw at linux.de)
